ATTACK PATTERN

the Web application to call the function read_message(). This function, like get_message_titles(), first checks whether the user who is requesting the message is logged in and redirects the user if not. In the next step the value of the GET parameter named 'id' is retrieved (given that it exists) and filtered through the integer value function. Thus, continuing with our previous example, if the user clicks on the following link: http://example.com/read_message.php?id=776, the $message_id variable of the read_message function will contain the number 776. In the next step, the message id is used to retrieve the full message from the messages table, and thus in this example case the SQL query will be the following:

    SELECT from,title,message FROM Messages where message_id = 776;

The Web application uses the data and prints it out as HTML to the user. The user reads the message and is happy. Or maybe not?

Exploiting It

Those of you who have a security-oriented mindset [4] may feel a bit uncomfortable with the workings of the previously described Web application. Sure, they check for SQL injections whenever they use data coming in from the user, but you feel that something is not quite right...

Let's look closely at the read_message() function and at the resulting SQL query. We saw that if a user clicks on the link http://example.com/read_message.php?id=776, the Web application will use the id parameter to find and retrieve the appropriate message. In fact, this is exactly where the vulnerability lies: the Web application uses ONLY the id that the user provided as a means of reading a message. For the user with user_id equal to 11, the Web programmer assumed that he or she can click only on the links provided by the get_message_titles() function, thus only click on one of the following links:

• http://example.com/read_message.php?id=776
• http://example.com/read_message.php?id=779

While it is true that only these two links will be available in his INBOX, nothing is stopping the user from changing the id parameter to any value

Listing 2. A simple Python script which downloads and saves the first 1024 messages from the

    # Python 2 script as printed in the article (urllib.urlopen).
    # It walks message ids 0..1023 and stores each response body in its own file.
    import urllib
    import os

    os.mkdir("./messages")
    for i in range(0, 1024):
        current_message = urllib.urlopen("http://example.com/read_message.php?id=%d" % i)
        out_file = open("./messages/%d.txt" % i, "w")
        out_file.write(current_message.read())
        out_file.close()
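The sweep in Listing 2 leaves a distinctive trace in the web server's access log: a single client requesting many distinct, consecutive id values in a short time, whereas a real user only opens the handful of ids shown in their inbox. The following Python 3 script is an added illustration, not code from the article or from the application it describes; it runs a simple enumeration detector over constructed Apache-style log lines (the IP addresses, timestamps and response sizes are made up, and the thresholds `min_distinct` and `min_sequential_ratio` are assumptions to be tuned per site).

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample log (not from the article). 10.0.0.5 behaves like the user
# with user_id 11 opening the two messages in their inbox; 10.0.0.9 walks
# consecutive ids the way Listing 2 does (40 requests, ids 0..39).
_NORMAL_LINES = [
    '10.0.0.5 - - [10/Mar/2011:10:00:01 +0100] "GET /read_message.php?id=776 HTTP/1.1" 200 1532',
    '10.0.0.5 - - [10/Mar/2011:10:00:40 +0100] "GET /read_message.php?id=779 HTTP/1.1" 200 1287',
]
_SWEEP_LINES = [
    '10.0.0.9 - - [10/Mar/2011:10:01:%02d +0100] "GET /read_message.php?id=%d HTTP/1.1" 200 512'
    % (i, i)
    for i in range(40)
]
SAMPLE_LOG_LINES = _NORMAL_LINES + _SWEEP_LINES

# Apache "common" log format: client, identd, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Return {'ip', 'message_id', 'status'} for a read_message.php request,
    or None for anything else (other paths, malformed lines, non-integer id)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("path"))
    if not url.path.endswith("/read_message.php"):
        return None
    raw_id = parse_qs(url.query).get("id", [None])[0]
    try:
        message_id = int(raw_id)
    except (TypeError, ValueError):
        return None
    return {"ip": m.group("ip"), "message_id": message_id, "status": int(m.group("status"))}


def detect_enumeration(lines, min_distinct=20, min_sequential_ratio=0.8):
    """Flag clients that requested at least `min_distinct` different message ids
    where at least `min_sequential_ratio` of the sorted ids are consecutive.
    Returns {ip: {'distinct_ids': n, 'sequential_ratio': r}} for suspects."""
    ids_by_client = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            ids_by_client[rec["ip"]].add(rec["message_id"])

    suspects = {}
    for ip, ids in ids_by_client.items():
        if len(ids) < min_distinct:
            continue
        ordered = sorted(ids)
        adjacent = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a == 1)
        ratio = adjacent / (len(ordered) - 1)
        if ratio >= min_sequential_ratio:
            suspects[ip] = {"distinct_ids": len(ids), "sequential_ratio": round(ratio, 2)}
    return suspects


if __name__ == "__main__":
    for ip, info in detect_enumeration(SAMPLE_LOG_LINES).items():
        print("possible id enumeration from %s: %s" % (ip, info))
```

Keying on the client IP is the simplest choice; in the application itself the same counting can be done per session or per authenticated user, which also catches a sweep spread over several addresses. The detector reports only ids the server actually served, so it is most useful together with the authorization fix in Listing 3: after the fix, the same sweep shows up as a burst of empty responses rather than a data leak.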
Listing 3. Adding authorization checks to the vulnerable SQL query

    [...]
    /* $message_id has already passed the integer filter and $user_id is the id of the
       logged-in user; the added "to" condition ties the message to its recipient.
       "to" is a reserved word in MySQL, so the column name is quoted with backticks. */
    $result = mysql_query("SELECT * FROM Messages where message_id = {$message_id} and `to` = {$user_id}");
    /* The rest of the code is the same as in the original function */
    [...]
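To make the difference between the two queries concrete, the following Python 3 model of the lookup is added here as an illustration; it is not code from the article or from the application it describes. It uses an in-memory SQLite table whose column names (sender, recipient), sample rows and helper names are constructed. Both variants are parameterised, so neither is SQL-injectable, yet only the second enforces that the requester is the recipient, which is the check Listing 3 adds.

```python
import sqlite3

# Constructed sample data (not from the article): user 11 owns messages 776 and 779,
# matching the article's inbox example; 777 and 778 belong to user 12.
SAMPLE_MESSAGES = [
    # (message_id, sender, recipient, title, body)
    (776, 12, 11, "Meeting", "See you at 10."),
    (777, 11, 12, "Re: Meeting", "Fine."),
    (778, 13, 12, "Invoice", "Attached."),
    (779, 13, 11, "Lunch?", "Friday?"),
]


def setup_db():
    """Create an in-memory messages table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE messages (message_id INTEGER PRIMARY KEY, sender INTEGER, "
        "recipient INTEGER, title TEXT, body TEXT)"
    )
    conn.executemany("INSERT INTO messages VALUES (?, ?, ?, ?, ?)", SAMPLE_MESSAGES)
    return conn


def parse_message_id(raw):
    """Stand-in for the article's integer filter: accept a decimal id, else None."""
    try:
        return int(raw)
    except (TypeError, ValueError):
        return None


def read_message_vulnerable(conn, user_id, raw_id):
    """Login-checked and parameterised (no SQL injection), yet still broken:
    the row is selected by id alone, so any logged-in user can read any message."""
    if user_id is None:          # not logged in: the real app would redirect here
        return None
    message_id = parse_message_id(raw_id)
    if message_id is None:
        return None
    return conn.execute(
        "SELECT sender, title, body FROM messages WHERE message_id = ?",
        (message_id,),
    ).fetchone()


def read_message(conn, user_id, raw_id):
    """Fixed version, equivalent to Listing 3: the query binds the requested
    object to the requesting user, so a foreign id simply yields no row."""
    if user_id is None:
        return None
    message_id = parse_message_id(raw_id)
    if message_id is None:
        return None
    return conn.execute(
        "SELECT sender, title, body FROM messages WHERE message_id = ? AND recipient = ?",
        (message_id, user_id),
    ).fetchone()


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable, user 11 asks for 777:", read_message_vulnerable(db, 11, "777"))
    print("fixed,      user 11 asks for 777:", read_message(db, 11, "777"))
    print("fixed,      user 11 asks for 776:", read_message(db, 11, "776"))
```

Returning the same empty result for "no such message" and "not your message" is deliberate: a distinct "forbidden" response would confirm to the Listing 2 script which ids exist, even though it could no longer read them.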
03/2011